We can see a hint hidden in an HTML comment, which tells us the location of the natas8 password. However, we aren't able to simply browse there since it is outside of the web root. Let's keep pressing on to see what we can find. By browsing to the 'About' page, we are presented with the following URL:

Seeing the 'page=about' parameter in the URL reminds us of a previous writeup, in which we were able to leverage an LFI/RFI vulnerability to our advantage. Let's see if this is the case here with a bogus filename:

It looks like this challenge is indeed meant to be solved using an LFI vulnerability. Let's use this to traverse back to the file containing the natas8 password: